Firefox Now Supports HttpOnly Cookies

July 19, 2007

You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1. Firefox, which was released just the other day, now supports it.

When a cookie is HttpOnly the web browser should (see note about firefox implementation below) not allow client side scripts such as JavaScript to have access to the cookie. This can help mitigate the effects of cross site scripting (XSS) attacks.

To set a HttpOnly cookie with ColdFusion you need to use cfheader since cfcookie doesn't yet support HttpOnly.

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it it would also be nice to have a setting to make the CFID, CFTOKEN and jsessionid cookies httpOnly, or secure cookies.

Update: CF9 added a httponly setting to the CFCookie tag. And CF 9.0.1 adds HttpOnly to CFID and CFTOKEN cookies automatically.

Here's a MSDN doc with some additional info about HttpOnly.

Firefox's implementation of HttpOnly however still leaves open a big hole, as RSnake points out, you can do an XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie from the AJAX HTTP response header. +1 for MSIE.

Related Entries

12 people found this page useful, what do you think?


Either I'm miss reading something or you forgot the word "not" in the first sentence of the second paragraph (before the parenthesis).
Shouldn't that be NOT allow? I was confused until I went to the MSDN site.
You left a 'not' out of the 2nd paragraph - that confused me for a while because TFA goes on to say 'This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script.'
@Pete: Did you mean to say: "When a cookie is HttpOnly the web browser should *not* allow client side scripts such as JavaScript to have access to the cookie." ???
@Dan Yes that is what it should say, thanks, fixed.
I'm a little confused and want to clarify. I have one main cookie file and I want to protect it's values. When I added : <cfheader name="Set-Cookie" value="safe=maybe;HttpOnly"> to my Application file it works but as I tool around the site it sets that "safe" value multiple times which I don;t want. So I did: <cfparam name="COOKIE.SECURITY" default="set; HttpOnly"> Is that doing the same thing and will it protect all my values? Or just the "SECURITY" value?
FireFox will patch this bug in the 3.1 release

Post a Comment


Spell Checker by Foundeo

Recent Entries


did you hack my cf?